Spring Training Is Over: Is Your Payments Security Roster Set?

Now that spring training is over, your favorite major league teams’ rosters are set and baseball season is in full swing. That means thousands of fans are already flocking to their home team’s stadium to take in America’s pastime. Believe it or not, a key component of the baseball experience is payment. From purchasing tickets online, to grabbing snacks at the concession stand and picking up a souvenir at the gift shop, the average baseball fan can encounter multiple payment experiences in just one trip to the ballpark.

An omnichannel payment experience at a baseball game delivers two benefits: a great consumer experience for fans and increased revenue for the stadium and team owners. When it comes to the consumer experience, consumers prefer to have options for what payment methods they use for any given transaction, so giving consumers the ability to pay how they want improves their overall experience. For revenue, omnichannel payment offerings can deliver payment assurance, because when consumers can pay the way they want, they are more likely to make extra purchases on things like food and merchandise. Baseball stadiums can also be strategic about where they deliver certain payment options. For example, offering Apple Pay at concession stands creates a faster transaction, which improves the consumer experience and also increases the number of transactions a register can handle per inning. Omnichannel payments in baseball are a home run.

Healthcare can apply the same game-winning strategy for collecting patient payments. The more payment options you deliver, the more likely you are to collect from patients, and the more likely they are to have a positive overall impression of their healthcare encounter. According to the Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) patient survey, patients who are satisfied with their healthcare payment experience are 5x more likely to recommend the provider.

So, if you don’t already offer omnichannel payment options at your healthcare organization, it’s time to take a second look at your healthcare payments lineup. As a Security Officer, the most important aspect of omnichannel payments for me is how you keep all of those different channels compliant and secure. To get started, let’s take a look at the payment options you should keep on your healthcare payments roster, then we’ll look at the key security components of each that will help keep all of your payment options running efficiently and compliantly. After all, baseball stadiums don’t need to worry about as many regulatory and compliance roadblocks (e.g., HIPAA) when deciding what payment channels to offer their consumers, nor are spectator sports a highly targeted industry for cybercrime like healthcare is.

What Needs to Be on Your Healthcare Payments Security Roster?

Online Payments and Tokenization

As I mentioned, many baseball fans begin their payment experience online purchasing tickets for an upcoming home game. This allows them to have control over their payment experience by selecting their seats, using their preferred payment method and completing the transaction from anywhere, any time and on any device. Healthcare can benefit from online payments for patient payment collections as well. With an online patient portal, your patients can go online from anywhere, 24/7, view their balance information, and easily make a payment using their preferred payment method (e.g., credit card, debit card, eCheck, HSA/FSA/HRA and Apple Pay).

To keep online payment transactions secure, you must utilize tokenization. Tokenization replaces a sensitive value with a stand-in, so a system can refer to the value without holding it directly. In healthcare, when a payment card enters a secure payment application with tokenization, the card information gets converted to a token that is associated with your organization only. The token has no value outside of the payment transaction it is used for, because it is exclusively associated with a healthcare provider’s merchant ID. Tokenization also allows healthcare organizations to save payment information online securely, so patients can use their saved payment method for future payments without having to re-enter the information. This is key to automating the payment process to simplify the consumer experience and help providers achieve payment assurance.
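To make the merchant binding concrete, here is a small sketch added for illustration; it is not InstaMed's implementation. The `TokenVault` class, the merchant IDs and the sample card number (a widely used test number, not a real card) are all constructed for this example.

```python
import secrets


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place where a token maps back to a card number."""

    def __init__(self):
        self._by_token = {}     # token -> (merchant_id, card number)
        self._by_card = {}      # (merchant_id, card number) -> token

    def tokenize(self, merchant_id, pan):
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        key = (merchant_id, digits)
        if key not in self._by_card:
            # Random token: nothing about the card can be derived from it.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_card[key] = token
            self._by_token[token] = key
        return self._by_card[key]   # same card, same merchant: saved method is reusable

    def detokenize(self, merchant_id, token):
        owner, pan = self._by_token.get(token, (None, None))
        if owner is None or owner != merchant_id:
            # A token presented under any other merchant ID is worthless.
            raise PermissionError("token not valid for this merchant")
        return pan
```

The merchant's own systems store only the `tok_...` value; a stolen token cannot be redeemed under another merchant ID and reveals nothing about the card.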

For the most secure and convenient experience, you can leverage the InstaMed Secure Token. When a patient goes to make a payment within your patient portal, the InstaMed Secure Token creates a temporary token that provides a seamless experience for patients and ensures that cardholder data never touches your organization’s servers, which can reduce your PCI scope by up to 90%.

Point-to-Point Encryption (P2PE) for Point-of-Sale Transactions

Collecting payments in the front office as soon as a patient arrives or before they leave is a great way to achieve payment assurance. To make this experience as convenient as possible, think about the communication between your patients and staff and make sure payment is a part of their conversations. At a baseball game, consumers understand that their ticket only covers the cost of admission and any food, beverages and merchandise they purchase at the game are an additional cost. In healthcare, payment is not always as obvious. Consumers are often unaware of their own payment responsibility, so setting clear payment expectations with patients upfront will help improve the payment experience and encourage more patients to pay you at the time of service. Saving patient payment methods on file and leveraging an estimator tool will also help improve this process.

To keep point-of-sale payments secure, healthcare organizations should leverage P2PE. P2PE is a methodology for securing credit card data by encrypting it from the time a card is swiped, dipped or keyed until it reaches a secure endpoint where it is decrypted. Think about the journey of a baseball from the moment it leaves the pitcher’s arm to the point it lands securely in the catcher’s mitt. P2PE ensures that that baseball is never intercepted by the bat swinging above home plate.

Keep in mind that only solutions listed on the Payment Card Industry (PCI) Council’s website are PCI-Validated P2PE solution providers. To be a PCI-Validated P2PE Solution Provider, a vendor must complete the detailed security requirements and testing procedures outlined by the PCI Council to ensure that their solutions meet the necessary requirements to protect payment card data. If your payment vendor still isn’t listed in 2017, you might want to rethink your starting lineup and make a call out to vendors you’ve kept in the bullpen for some security and compliance relief.

EMV and Apple Pay

Just as a baseball manager wants to ensure they have a well-rounded team filling out their roster, a healthcare professional should want a well-rounded lineup of payment capabilities as well. Therefore, EMV and Apple Pay should definitely be included in your lineup. EMV, which stands for Europay, MasterCard and Visa, is the global standard for chip-based debit and credit card transactions. In October 2015, the major processing banks implemented a shift that transferred fraud liability to merchants who accept fraudulent chip card transactions, unless they use EMV-capable point-of-sale (POS) devices. In order to avoid fraud liability, merchants across the U.S. upgraded their POS devices to accept EMV transactions. However, for EMV to work, payment vendors also have to be certified with all major card brands for EMV. This is an expensive but necessary process. If your payment vendor still isn’t EMV-certified in 2017, almost two years after the liability shift, you might as well be playing in the minor leagues.

Apple Pay continues to grow in popularity among consumers. In fact, Apple reported that transaction volume was up 500% at the end of 2016, compared to the same period in 2015. Apple Pay allows consumers to use their mobile devices to make payments instead of reaching for their credit card. It’s also incredibly secure. Apple Pay leverages three technologies to support payments: near field communication (NFC), the Secure Element and Touch ID. Enabling a payment option that is popular with consumers and offers high levels of payment security is an easy win. What’s preventing you from enabling Apple Pay at your healthcare organization today?

Omnichannel payments are just one aspect of what you need for a well-rounded healthcare payments security roster. Check out next month’s Security Corner to learn about the other key healthcare payments players you should consider, as well as the risks you need to make sure you keep out of your lineup.

Want to learn more about security and compliance in healthcare payments before my next blog? Join me for a webinar on April 19th at 3:00 PM ET. I’ll be joined by health law and HIPAA expert Matt Fisher of Mick O’Connell as we discuss security and compliance for today’s healthcare organizations. Register here.
